Re: [fw-wiz] tunnel vs open a hole

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 04/08/03

    From: Frank Knobbe <fknobbe@knobbeits.com>
    To: Dave Piscitello <dave@corecom.com>
    Date: 08 Apr 2003 15:34:15 -0500
    

    On Tue, 2003-04-08 at 12:16, Dave Piscitello wrote:
    > [...]
    > No one discussed the benefits of using an encrypted, authenticated
    > tunnel (SSL, SSH, ...), which do provide additional controls.
    > [...]

    At the same time, some tunnels have certain drawbacks. Depending on what
    tunnel you use, you may not know the sender's IP address. For example, if
    you use SSH to forward ports, you don't get the source's IP address (it
    depends on how you forward; most of the time the request would be coming
    from 127.0.0.1). I'm not sure about ZBD but I believe it works the same
    way. You would have to check the SSH/ZBD/yourtunnel logs, but that only
    shows you a general connection or the tunnel endpoint, not related or
    associable to the real request (e.g. tcp port or sequence numbers),
    or to the host behind the endpoint.

    That 'hiding' behind tunnel endpoints can't be a benefit :)

    Cheers,
    Frank

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
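
An added illustration of the point made in the message above (not code from the original post): a plain TCP relay on loopback stands in for an SSH-style forwarded port, and the function returns the peer address the relay sees next to the one the service behind it sees. All function and key names are made up for the example.

```python
import socket
import threading

def observe_forwarded_peer():
    """Pass one request client -> relay -> service; return each hop's view."""
    service = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    service.bind(("127.0.0.1", 0))            # application behind the tunnel
    service.listen(1)
    relay = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    relay.bind(("127.0.0.1", 0))              # stand-in for the tunnel endpoint
    relay.listen(1)
    seen = {}

    def run_service():
        conn, peer = service.accept()
        seen["service_peer"] = peer           # what the application log records
        conn.sendall(conn.recv(64))           # echo the request back
        conn.close()

    def run_relay():
        inbound, peer = relay.accept()
        seen["relay_peer"] = peer             # what the tunnel log records
        outbound = socket.create_connection(service.getsockname())
        seen["relay_outbound"] = outbound.getsockname()
        outbound.sendall(inbound.recv(64))    # forward request
        inbound.sendall(outbound.recv(64))    # forward reply
        outbound.close()
        inbound.close()

    threads = [threading.Thread(target=run_service),
               threading.Thread(target=run_relay)]
    for t in threads:
        t.start()
    # Bind the client explicitly so its source port is reserved and cannot
    # also be picked for the relay's outbound connection.
    client = socket.create_connection(relay.getsockname(),
                                      source_address=("127.0.0.1", 0))
    seen["client"] = client.getsockname()
    client.sendall(b"request")
    seen["reply"] = client.recv(64)
    client.close()
    for t in threads:
        t.join()
    service.close()
    relay.close()
    return seen

if __name__ == "__main__":
    for name, value in observe_forwarded_peer().items():
        print(f"{name:15} {value}")
```

Only the relay's record contains the client's address and port; the service's record contains the relay's outbound socket, so the two logs share no field that ties a request to its origin.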


